├── .github ├── PULL_REQUEST_TEMPLATE.md └── workflows │ ├── ci.yml │ └── publish.yml ├── .gitignore ├── LICENSE ├── Makefile ├── OWNERS ├── README.md ├── examples ├── tls_sub_events.py ├── unixsocket_get_events.py ├── unixsocket_get_version.py └── unixsocket_sub_events.py ├── falco ├── __init__.py ├── __version__.py ├── client.py ├── client_credentials.py ├── domain │ ├── __init__.py │ ├── common.py │ ├── outputs.py │ └── version.py ├── errors.py ├── schema │ ├── __init__.py │ ├── outputs_pb2.py │ ├── schema_pb2.py │ └── version_pb2.py └── svc │ ├── __init__.py │ ├── outputs_pb2_grpc.py │ ├── schema_pb2_grpc.py │ └── version_pb2_grpc.py ├── protos ├── outputs.proto ├── schema.proto └── version.proto ├── pyproject.toml ├── requirements-dev.txt ├── requirements.txt ├── setup.cfg ├── setup.py └── tests ├── __init__.py ├── conftest.py ├── domain ├── __init__.py ├── test_outputs.py └── test_version.py ├── mock.py └── test_client.py /.github/PULL_REQUEST_TEMPLATE.md: -------------------------------------------------------------------------------- 1 | 8 | 9 | **What type of PR is this?** 10 | 11 | > Uncomment one (or more) `/kind <>` lines: 12 | 13 | > /kind bug 14 | 15 | > /kind cleanup 16 | 17 | > /kind documentation 18 | 19 | > /kind tests 20 | 21 | > /kind feature 22 | 23 | 26 | 27 | **Any specific area of the project related to this PR?** 28 | 29 | > Uncomment one (or more) `/area <>` lines: 30 | 31 | > /area api 32 | 33 | > /area client 34 | 35 | > /area examples 36 | 37 | > /area build 38 | 39 | 42 | 43 | **What this PR does / why we need it**: 44 | 45 | **Which issue(s) this PR fixes**: 46 | 47 | 52 | 53 | Fixes # 54 | 55 | **Special notes for your reviewer**: 56 | 57 | **Does this PR introduce a user-facing change?**: 58 | 59 | 66 | 67 | ```release-note 68 | 69 | ``` -------------------------------------------------------------------------------- /.github/workflows/ci.yml: -------------------------------------------------------------------------------- 1 | name: Falco CI 2 | 3 | on: [push, pull_request] 4 | 5 | jobs: 6 | build: 7 | runs-on: ubuntu-latest 8 | strategy: 9 | matrix: 10 | python-version: [3.6, 3.7, 3.8] 11 | steps: 12 | - uses: actions/checkout@v2 13 | - name: setup Python ${{ matrix.python-version }} 14 | uses: actions/setup-python@v1 15 | with: 16 | python-version: ${{ matrix.python-version }} 17 | - name: Install dependencies 18 | run: | 19 | python -m pip install -U pip 20 | pip install -r requirements-dev.txt 21 | - name: Lint 22 | run: | 23 | flake8 24 | isort -rc . --check 25 | black . --check 26 | - name: Test 27 | run: | 28 | python -m tests.mock & 29 | pytest tests/ 30 | -------------------------------------------------------------------------------- /.github/workflows/publish.yml: -------------------------------------------------------------------------------- 1 | name: Falco Publish 2 | 3 | on: 4 | release: 5 | types: [created] 6 | 7 | jobs: 8 | deploy: 9 | runs-on: ubuntu-latest 10 | steps: 11 | - uses: actions/checkout@v2 12 | - name: setup Python 13 | uses: actions/setup-python@v1 14 | with: 15 | python-version: '3.x' 16 | - name: Install dependencies 17 | run: | 18 | python -m pip install -U pip 19 | pip install setuptools wheel twine 20 | - name: Build and publish 21 | env: 22 | TWINE_USERNAME: ${{ secrets.PYPI_USERNAME }} 23 | TWINE_PASSWORD: ${{ secrets.PYPI_PASSWORD }} 24 | run: | 25 | python setup.py sdist bdist_wheel 26 | twine upload dist/* 27 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | .pytest_cache/ 4 | *.py[cod] 5 | 6 | # Proto files 7 | **/*.proto 8 | 9 | # Setuptools distribution folder. 10 | /dist/ 11 | 12 | # Python egg metadata, regenerated from source files by setuptools. 13 | /*.egg-info 14 | /*.egg 15 | /*.eggs 16 | 17 | # Vim 18 | *.swp 19 | *.swo 20 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | 2 | Apache License 3 | Version 2.0, January 2004 4 | http://www.apache.org/licenses/ 5 | 6 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 7 | 8 | 1. Definitions. 9 | 10 | "License" shall mean the terms and conditions for use, reproduction, 11 | and distribution as defined by Sections 1 through 9 of this document. 12 | 13 | "Licensor" shall mean the copyright owner or entity authorized by 14 | the copyright owner that is granting the License. 15 | 16 | "Legal Entity" shall mean the union of the acting entity and all 17 | other entities that control, are controlled by, or are under common 18 | control with that entity. For the purposes of this definition, 19 | "control" means (i) the power, direct or indirect, to cause the 20 | direction or management of such entity, whether by contract or 21 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 22 | outstanding shares, or (iii) beneficial ownership of such entity. 23 | 24 | "You" (or "Your") shall mean an individual or Legal Entity 25 | exercising permissions granted by this License. 26 | 27 | "Source" form shall mean the preferred form for making modifications, 28 | including but not limited to software source code, documentation 29 | source, and configuration files. 30 | 31 | "Object" form shall mean any form resulting from mechanical 32 | transformation or translation of a Source form, including but 33 | not limited to compiled object code, generated documentation, 34 | and conversions to other media types. 35 | 36 | "Work" shall mean the work of authorship, whether in Source or 37 | Object form, made available under the License, as indicated by a 38 | copyright notice that is included in or attached to the work 39 | (an example is provided in the Appendix below). 40 | 41 | "Derivative Works" shall mean any work, whether in Source or Object 42 | form, that is based on (or derived from) the Work and for which the 43 | editorial revisions, annotations, elaborations, or other modifications 44 | represent, as a whole, an original work of authorship. For the purposes 45 | of this License, Derivative Works shall not include works that remain 46 | separable from, or merely link (or bind by name) to the interfaces of, 47 | the Work and Derivative Works thereof. 48 | 49 | "Contribution" shall mean any work of authorship, including 50 | the original version of the Work and any modifications or additions 51 | to that Work or Derivative Works thereof, that is intentionally 52 | submitted to Licensor for inclusion in the Work by the copyright owner 53 | or by an individual or Legal Entity authorized to submit on behalf of 54 | the copyright owner. For the purposes of this definition, "submitted" 55 | means any form of electronic, verbal, or written communication sent 56 | to the Licensor or its representatives, including but not limited to 57 | communication on electronic mailing lists, source code control systems, 58 | and issue tracking systems that are managed by, or on behalf of, the 59 | Licensor for the purpose of discussing and improving the Work, but 60 | excluding communication that is conspicuously marked or otherwise 61 | designated in writing by the copyright owner as "Not a Contribution." 62 | 63 | "Contributor" shall mean Licensor and any individual or Legal Entity 64 | on behalf of whom a Contribution has been received by Licensor and 65 | subsequently incorporated within the Work. 66 | 67 | 2. Grant of Copyright License. Subject to the terms and conditions of 68 | this License, each Contributor hereby grants to You a perpetual, 69 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 70 | copyright license to reproduce, prepare Derivative Works of, 71 | publicly display, publicly perform, sublicense, and distribute the 72 | Work and such Derivative Works in Source or Object form. 73 | 74 | 3. Grant of Patent License. Subject to the terms and conditions of 75 | this License, each Contributor hereby grants to You a perpetual, 76 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 77 | (except as stated in this section) patent license to make, have made, 78 | use, offer to sell, sell, import, and otherwise transfer the Work, 79 | where such license applies only to those patent claims licensable 80 | by such Contributor that are necessarily infringed by their 81 | Contribution(s) alone or by combination of their Contribution(s) 82 | with the Work to which such Contribution(s) was submitted. If You 83 | institute patent litigation against any entity (including a 84 | cross-claim or counterclaim in a lawsuit) alleging that the Work 85 | or a Contribution incorporated within the Work constitutes direct 86 | or contributory patent infringement, then any patent licenses 87 | granted to You under this License for that Work shall terminate 88 | as of the date such litigation is filed. 89 | 90 | 4. Redistribution. You may reproduce and distribute copies of the 91 | Work or Derivative Works thereof in any medium, with or without 92 | modifications, and in Source or Object form, provided that You 93 | meet the following conditions: 94 | 95 | (a) You must give any other recipients of the Work or 96 | Derivative Works a copy of this License; and 97 | 98 | (b) You must cause any modified files to carry prominent notices 99 | stating that You changed the files; and 100 | 101 | (c) You must retain, in the Source form of any Derivative Works 102 | that You distribute, all copyright, patent, trademark, and 103 | attribution notices from the Source form of the Work, 104 | excluding those notices that do not pertain to any part of 105 | the Derivative Works; and 106 | 107 | (d) If the Work includes a "NOTICE" text file as part of its 108 | distribution, then any Derivative Works that You distribute must 109 | include a readable copy of the attribution notices contained 110 | within such NOTICE file, excluding those notices that do not 111 | pertain to any part of the Derivative Works, in at least one 112 | of the following places: within a NOTICE text file distributed 113 | as part of the Derivative Works; within the Source form or 114 | documentation, if provided along with the Derivative Works; or, 115 | within a display generated by the Derivative Works, if and 116 | wherever such third-party notices normally appear. The contents 117 | of the NOTICE file are for informational purposes only and 118 | do not modify the License. You may add Your own attribution 119 | notices within Derivative Works that You distribute, alongside 120 | or as an addendum to the NOTICE text from the Work, provided 121 | that such additional attribution notices cannot be construed 122 | as modifying the License. 123 | 124 | You may add Your own copyright statement to Your modifications and 125 | may provide additional or different license terms and conditions 126 | for use, reproduction, or distribution of Your modifications, or 127 | for any such Derivative Works as a whole, provided Your use, 128 | reproduction, and distribution of the Work otherwise complies with 129 | the conditions stated in this License. 130 | 131 | 5. Submission of Contributions. Unless You explicitly state otherwise, 132 | any Contribution intentionally submitted for inclusion in the Work 133 | by You to the Licensor shall be under the terms and conditions of 134 | this License, without any additional terms or conditions. 135 | Notwithstanding the above, nothing herein shall supersede or modify 136 | the terms of any separate license agreement you may have executed 137 | with Licensor regarding such Contributions. 138 | 139 | 6. Trademarks. This License does not grant permission to use the trade 140 | names, trademarks, service marks, or product names of the Licensor, 141 | except as required for reasonable and customary use in describing the 142 | origin of the Work and reproducing the content of the NOTICE file. 143 | 144 | 7. Disclaimer of Warranty. Unless required by applicable law or 145 | agreed to in writing, Licensor provides the Work (and each 146 | Contributor provides its Contributions) on an "AS IS" BASIS, 147 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 148 | implied, including, without limitation, any warranties or conditions 149 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 150 | PARTICULAR PURPOSE. You are solely responsible for determining the 151 | appropriateness of using or redistributing the Work and assume any 152 | risks associated with Your exercise of permissions under this License. 153 | 154 | 8. Limitation of Liability. In no event and under no legal theory, 155 | whether in tort (including negligence), contract, or otherwise, 156 | unless required by applicable law (such as deliberate and grossly 157 | negligent acts) or agreed to in writing, shall any Contributor be 158 | liable to You for damages, including any direct, indirect, special, 159 | incidental, or consequential damages of any character arising as a 160 | result of this License or out of the use or inability to use the 161 | Work (including but not limited to damages for loss of goodwill, 162 | work stoppage, computer failure or malfunction, or any and all 163 | other commercial damages or losses), even if such Contributor 164 | has been advised of the possibility of such damages. 165 | 166 | 9. Accepting Warranty or Additional Liability. While redistributing 167 | the Work or Derivative Works thereof, You may choose to offer, 168 | and charge a fee for, acceptance of support, warranty, indemnity, 169 | or other liability obligations and/or rights consistent with this 170 | License. However, in accepting such obligations, You may act only 171 | on Your own behalf and on Your sole responsibility, not on behalf 172 | of any other Contributor, and only if You agree to indemnify, 173 | defend, and hold each Contributor harmless for any liability 174 | incurred by, or claims asserted against, such Contributor by reason 175 | of your accepting any such warranty or additional liability. 176 | 177 | END OF TERMS AND CONDITIONS 178 | 179 | Copyright 2019 The Falco Authors 180 | 181 | Licensed under the Apache License, Version 2.0 (the "License"); 182 | you may not use this file except in compliance with the License. 183 | You may obtain a copy of the License at 184 | 185 | http://www.apache.org/licenses/LICENSE-2.0 186 | 187 | Unless required by applicable law or agreed to in writing, software 188 | distributed under the License is distributed on an "AS IS" BASIS, 189 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 190 | See the License for the specific language governing permissions and 191 | limitations under the License. 192 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | SHELL := /bin/bash 2 | 3 | # This builds using 'python -m grpc_tools.protoc' and not the protoc binary 4 | # pip install grpcio grpcio-tools to install this module 5 | 6 | PROTOS := protos/schema.proto protos/outputs.proto protos/version.proto 7 | PROTO_URLS := https://raw.githubusercontent.com/falcosecurity/falco/master/userspace/falco/schema.proto https://raw.githubusercontent.com/falcosecurity/falco/master/userspace/falco/outputs.proto https://raw.githubusercontent.com/falcosecurity/falco/master/userspace/falco/version.proto 8 | PROTO_SHAS := ad4e9d62717e82b9fb9ec30625d392fd66ced3e53eb73faea739c63063650ac3 18fa7f7a4870ae0e0703c775fda41362aa654445893546d9b2d49f59dd487026 c57a8a3f37a14ca8f33ce6d26156c9348e716029bca87bf9143807a68b1f31f5 9 | 10 | PROTO_DIRS := $(dir ${PROTOS}) 11 | PROTO_DIRS_INCLUDES := $(patsubst %/, -I %, ${PROTO_DIRS}) 12 | 13 | SCHEMA_OUT_DIR := falco/schema 14 | GRPC_OUT_DIR := falco/svc 15 | 16 | .PHONY: protos 17 | protos: ${PROTOS} 18 | 19 | # $(1): the proto path 20 | # $(2): the proto URL 21 | # $(3): the proto SHA256 22 | define download_rule 23 | $(1): 24 | @rm -f $(1) 25 | @mkdir -p ${PROTO_DIRS} ${SCHEMA_OUT_DIR} ${GRPC_OUT_DIR} 26 | @curl --silent -Lo $(1) $(2) 27 | @echo $(3) $(1) | sha256sum -c 28 | @sed -i '/option go_package/d' $(1) 29 | python -m grpc_tools.protoc -Iprotos --python_out=${SCHEMA_OUT_DIR} --grpc_python_out=${GRPC_OUT_DIR} $(1) 30 | endef 31 | 32 | $(foreach PROTO,$(PROTOS),\ 33 | $(eval $(call download_rule,$(PROTO),$(firstword $(PROTO_URLS)),$(firstword $(PROTO_SHAS))))\ 34 | $(eval PROTO_URLS := $(wordlist 2,$(words $(PROTO_URLS)),$(PROTO_URLS)))\ 35 | $(eval PROTO_SHAS := $(wordlist 2,$(words $(PROTO_SHAS)),$(PROTO_SHAS)))\ 36 | ) 37 | 38 | .PHONY: clean 39 | clean: ${PROTO_DIRS} 40 | @rm -rf $^ 41 | 42 | lint: 43 | flake8 44 | isort -rc . 45 | black . 46 | 47 | test: 48 | python -m tests.mock & 49 | pytest -vv --color=yes tests/ 50 | -------------------------------------------------------------------------------- /OWNERS: -------------------------------------------------------------------------------- 1 | approvers: 2 | - leodido 3 | - mmat11 4 | reviewers: 5 | - leodido 6 | - markyjackson-taulia 7 | - mmat11 8 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # client-py 2 | 3 | > Python client and SDK for Falco 4 | 5 | ## Usage 6 | 7 | ### Output subscribe 8 | 9 | ```python 10 | import falco 11 | client = falco.Client(endpoint="localhost:5060", client_crt="/tmp/client.crt", client_key="/tmp/client.key", ca_root="/tmp/ca.crt") 12 | for event in client.sub()): 13 | print(event) 14 | ``` 15 | 16 | or try it directly (make sure you have the client certificates in `/tmp` or use the unix socket address), for example: 17 | 18 | ``` 19 | python -m examples.tls_sub_events -o json 20 | python -m examples.unixsocket_get_events -o json 21 | python -m examples.unixsocket_get_version 22 | ``` 23 | 24 | ### Output format 25 | 26 | Currently there are two output formats available: JSON and Python classes. 27 | To change output format, pass the `output_format` parameter to the Client object. 28 | 29 | ## Development 30 | 31 | ### Dependencies 32 | 33 | To install development dependencies, run `pip install -r requirements-dev.txt`. 34 | 35 | ### Update protos 36 | 37 | Perform the following edits to the Makefile: 38 | 39 | 1. Update the PROTOS array with the destination path of the .proto file. 40 | 2. Update the PROTO_URLS array with the URL from which to download it. 41 | 3. Update thr PROTO_SHAS array with the SHA256 sum of the file to download. 42 | 4. Execute the following commands: 43 | 44 | ```console 45 | make clean 46 | make protos 47 | ``` 48 | 49 | ### Tests 50 | 51 | To run the tests, run `make test`. 52 | 53 | ### Misc 54 | 55 | To format the code, run `make lint`. 56 | -------------------------------------------------------------------------------- /examples/tls_sub_events.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | 3 | import falco 4 | 5 | if __name__ == "__main__": 6 | parser = argparse.ArgumentParser() 7 | parser.add_argument("--output-format", "-o", dest="output_format", default=None, help="output_format") 8 | args = parser.parse_args() 9 | 10 | c = falco.Client( 11 | endpoint="localhost:5060", 12 | client_crt="/tmp/client.crt", 13 | client_key="/tmp/client.key", 14 | ca_root="/tmp/ca.crt", 15 | output_format=args.output_format, 16 | ) 17 | 18 | for event in c.sub(): 19 | print(event) 20 | -------------------------------------------------------------------------------- /examples/unixsocket_get_events.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | 3 | import falco 4 | 5 | if __name__ == "__main__": 6 | parser = argparse.ArgumentParser() 7 | parser.add_argument("--output-format", "-o", dest="output_format", default=None, help="output_format") 8 | args = parser.parse_args() 9 | 10 | c = falco.Client(endpoint="unix:///var/run/falco.sock", output_format=args.output_format) 11 | 12 | for event in c.get(): 13 | print(event) 14 | -------------------------------------------------------------------------------- /examples/unixsocket_get_version.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | 3 | import falco 4 | 5 | if __name__ == "__main__": 6 | parser = argparse.ArgumentParser() 7 | parser.add_argument("--output-format", "-o", dest="output_format", default=None, help="output_format") 8 | args = parser.parse_args() 9 | 10 | c = falco.Client(endpoint="unix:///var/run/falco.sock", output_format=args.output_format) 11 | 12 | print(c.version()) 13 | -------------------------------------------------------------------------------- /examples/unixsocket_sub_events.py: -------------------------------------------------------------------------------- 1 | import argparse 2 | 3 | import falco 4 | 5 | if __name__ == "__main__": 6 | parser = argparse.ArgumentParser() 7 | parser.add_argument("--output-format", "-o", dest="output_format", default=None, help="output_format") 8 | args = parser.parse_args() 9 | 10 | c = falco.Client(endpoint="unix:///var/run/falco.sock", output_format=args.output_format) 11 | 12 | for event in c.sub(): 13 | print(event) 14 | -------------------------------------------------------------------------------- /falco/__init__.py: -------------------------------------------------------------------------------- 1 | from falco.client import Client # noqa: F401 2 | from falco.domain.outputs import OutputsRequest, OutputsResponse # noqa: F401 3 | from falco.domain.version import VersionRequest, VersionResponse # noqa: F401 4 | -------------------------------------------------------------------------------- /falco/__version__.py: -------------------------------------------------------------------------------- 1 | __title__ = "falco" 2 | __description__ = "Python client and SDK for Falco." 3 | __url__ = "https://github.com/falcosecurity/client-py" 4 | __version__ = "0.4.0" 5 | __author__ = "The Falco Authors" 6 | __author_email__ = "cncf-falco-dev@lists.cncf.io" 7 | __license__ = "Apache 2.0" 8 | __copyright__ = "Copyright 2020 The Falco Authors" 9 | -------------------------------------------------------------------------------- /falco/client.py: -------------------------------------------------------------------------------- 1 | import grpc 2 | 3 | from falco.client_credentials import get_grpc_channel_credentials 4 | from falco.domain import OutputsRequest, OutputsResponse, VersionRequest, VersionResponse 5 | from falco.errors import InvalidFormat, TLSConfigError 6 | from falco.svc.outputs_pb2_grpc import serviceStub as outputsServiceStub 7 | from falco.svc.version_pb2_grpc import serviceStub as versionServiceStub 8 | 9 | 10 | class Client: 11 | def __init__(self, endpoint, client_crt=None, client_key=None, ca_root=None, output_format=None, *args, **kw): 12 | if endpoint.startswith("unix:///"): 13 | channel = grpc.insecure_channel(endpoint, options=[("grpc.max_receive_message_length", 1024 * 1024 * 512)],) 14 | 15 | else: 16 | if None in [client_crt, client_key, ca_root]: 17 | raise TLSConfigError( 18 | "must provide valid paths for all of the TLS data: client certificate, client key, and CA certificate" 19 | ) 20 | channel = grpc.secure_channel( 21 | endpoint, 22 | credentials=get_grpc_channel_credentials(client_crt, client_key, ca_root), 23 | options=[("grpc.max_receive_message_length", 1024 * 1024 * 512)], 24 | ) 25 | 26 | self._outputs_client = outputsServiceStub(channel) 27 | self._version_client = versionServiceStub(channel) 28 | self.output_format = output_format 29 | 30 | @property 31 | def output_format(self): 32 | return self._output_format 33 | 34 | @output_format.setter 35 | def output_format(self, o): 36 | if o and o not in OutputsResponse.SERIALIZERS: 37 | raise InvalidFormat("invalid output format") 38 | self._output_format = o 39 | 40 | def sub(self): 41 | responses = self._outputs_client.sub(OutputsRequest.generator(with_delay=0.1)) 42 | for pb_resp in responses: 43 | resp = OutputsResponse.from_proto(pb_resp) 44 | 45 | if self.output_format: 46 | yield getattr(resp, OutputsResponse.SERIALIZERS[self.output_format])() 47 | continue 48 | 49 | yield resp 50 | 51 | def get(self): 52 | responses = self._outputs_client.get(OutputsRequest().to_proto()) 53 | for pb_resp in responses: 54 | resp = OutputsResponse.from_proto(pb_resp) 55 | 56 | if self.output_format: 57 | yield getattr(resp, OutputsResponse.SERIALIZERS[self.output_format])() 58 | continue 59 | 60 | yield resp 61 | 62 | def version(self): 63 | req = VersionRequest().to_proto() 64 | resp = VersionResponse.from_proto(self._version_client.version(req)) 65 | 66 | if self.output_format: 67 | return getattr(resp, VersionResponse.SERIALIZERS[self.output_format])() 68 | 69 | return resp 70 | -------------------------------------------------------------------------------- /falco/client_credentials.py: -------------------------------------------------------------------------------- 1 | import grpc 2 | 3 | 4 | def load_file(filepath): 5 | with open(filepath, "rb") as f: 6 | return f.read() 7 | 8 | 9 | def get_grpc_channel_credentials(client_crt, client_key, ca_root): 10 | """Returns a ChannelCredentials object to use with the grpc channel 11 | 12 | https://grpc.github.io/grpc/python/grpc.html#create-client-credentials 13 | """ 14 | 15 | root_certificates = load_file(ca_root) 16 | private_key = load_file(client_key) 17 | certificate_chain = load_file(client_crt) 18 | 19 | return grpc.ssl_channel_credentials( 20 | root_certificates=root_certificates, private_key=private_key, certificate_chain=certificate_chain, 21 | ) 22 | -------------------------------------------------------------------------------- /falco/domain/__init__.py: -------------------------------------------------------------------------------- 1 | from falco.domain.outputs import OutputsRequest, OutputsResponse # noqa: F401 2 | from falco.domain.version import VersionRequest, VersionResponse # noqa: F401 3 | -------------------------------------------------------------------------------- /falco/domain/common.py: -------------------------------------------------------------------------------- 1 | from google.protobuf.timestamp_pb2 import Timestamp 2 | 3 | 4 | def pb_timestamp_from_datetime(dt): 5 | ts = Timestamp() 6 | ts.FromDatetime(dt) 7 | return ts 8 | -------------------------------------------------------------------------------- /falco/domain/outputs.py: -------------------------------------------------------------------------------- 1 | import json 2 | import time 3 | from datetime import datetime, timedelta 4 | from enum import Enum 5 | from typing import Dict, Optional 6 | 7 | from dateutil import tz 8 | 9 | from falco.domain.common import pb_timestamp_from_datetime 10 | from falco.schema.outputs_pb2 import request, response 11 | from falco.schema.schema_pb2 import priority, source 12 | 13 | 14 | class OutputsRequest: 15 | __slots__ = () 16 | 17 | @classmethod 18 | def from_proto(cls, pb_request): 19 | return cls() 20 | 21 | def to_proto(self): 22 | return request() 23 | 24 | @staticmethod 25 | def generator(with_delay: float = 0.0, run_for: Optional[timedelta] = None): 26 | started_at = datetime.utcnow() 27 | while True: 28 | yield OutputsRequest().to_proto() 29 | 30 | if run_for is not None: 31 | if datetime.utcnow() - started_at > run_for: 32 | return 33 | 34 | time.sleep(with_delay) 35 | 36 | 37 | class OutputsResponse: 38 | __slots__ = ( 39 | "time", 40 | "_priority", 41 | "_source", 42 | "rule", 43 | "output", 44 | "output_fields", 45 | "hostname", 46 | "tags", 47 | ) 48 | 49 | class Priority(Enum): 50 | EMERGENCY = "emergency" 51 | ALERT = "alert" 52 | CRITICAL = "critical" 53 | ERROR = "error" 54 | WARNING = "warning" 55 | NOTICE = "notice" 56 | INFORMATIONAL = "informational" 57 | DEBUG = "debug" 58 | 59 | PB_PRIORITY_TO_PRIORITY_MAP = { 60 | 0: Priority.EMERGENCY, 61 | 1: Priority.ALERT, 62 | 2: Priority.CRITICAL, 63 | 3: Priority.ERROR, 64 | 4: Priority.WARNING, 65 | 5: Priority.NOTICE, 66 | 6: Priority.INFORMATIONAL, 67 | 7: Priority.DEBUG, 68 | } 69 | 70 | class Source(Enum): 71 | SYSCALL = "syscall" 72 | K8S_AUDIT = "k8s_audit" 73 | INTERNAL = "internal" 74 | 75 | PB_SOURCE_TO_SOURCE_MAP = { 76 | 0: Source.SYSCALL, 77 | 1: Source.K8S_AUDIT, 78 | 2: Source.INTERNAL, 79 | } 80 | 81 | SERIALIZERS = {"json": "to_json"} 82 | 83 | def __init__( 84 | self, 85 | time=None, 86 | priority=None, 87 | source=None, 88 | rule=None, 89 | output=None, 90 | output_fields=None, 91 | hostname=None, 92 | tags=None, 93 | ): 94 | self.time: datetime = time.astimezone(tz.tzutc()) 95 | self.priority: OutputsResponse.Priority = priority 96 | self.source: OutputsResponse.Source = source 97 | self.rule: str = rule 98 | self.output: str = output 99 | self.output_fields: Dict = output_fields 100 | self.hostname: str = hostname 101 | self.tags: list = tags 102 | 103 | def __repr__(self): 104 | return f"{self.__class__.__name__}(time={self.time}, priority={self.priority}, source={self.source}, rule={self.rule}, output={self.output}, output_fields={self.output_fields}, hostname={self.hostname}, tags={self.tags})" 105 | 106 | @property 107 | def priority(self): 108 | return self._priority 109 | 110 | @priority.setter 111 | def priority(self, p): 112 | self._priority = None 113 | if p and isinstance(p, OutputsResponse.Priority): 114 | self._priority = p 115 | 116 | @property 117 | def source(self): 118 | return self._source 119 | 120 | @source.setter 121 | def source(self, s): 122 | self._source = None 123 | if s and isinstance(s, OutputsResponse.Source): 124 | self._source = s 125 | 126 | @classmethod 127 | def from_proto(cls, pb_response): 128 | timestamp_dt = datetime.fromtimestamp(pb_response.time.seconds + pb_response.time.nanos / 1e9) 129 | 130 | return cls( 131 | time=timestamp_dt, 132 | priority=OutputsResponse.PB_PRIORITY_TO_PRIORITY_MAP[pb_response.priority], 133 | source=OutputsResponse.PB_SOURCE_TO_SOURCE_MAP[pb_response.source], 134 | rule=pb_response.rule, 135 | output=pb_response.output, 136 | output_fields=dict(pb_response.output_fields), 137 | hostname=pb_response.hostname, 138 | tags=list(pb_response.tags), 139 | ) 140 | 141 | def to_proto(self): 142 | return response( 143 | time=pb_timestamp_from_datetime(self.time), 144 | priority=priority.Value(self.priority.value), 145 | source=source.Value(self.source.value), 146 | rule=self.rule, 147 | output=self.output, 148 | output_fields=self.output_fields, 149 | hostname=self.hostname, 150 | tags=self.tags, 151 | ) 152 | 153 | def to_json(self): 154 | return json.dumps( 155 | { 156 | "time": self.time.isoformat(), 157 | "priority": self.priority.value, 158 | "source": self.source.value, 159 | "rule": self.rule, 160 | "output": self.output, 161 | "output_fields": self.output_fields, 162 | "hostname": self.hostname, 163 | "tags": self.tags, 164 | } 165 | ) 166 | -------------------------------------------------------------------------------- /falco/domain/version.py: -------------------------------------------------------------------------------- 1 | import json 2 | 3 | from falco.schema.version_pb2 import request, response 4 | 5 | 6 | class VersionRequest: 7 | __slots__ = () 8 | 9 | @classmethod 10 | def from_proto(cls, pb_request): 11 | return cls() 12 | 13 | def to_proto(self): 14 | return request() 15 | 16 | 17 | class VersionResponse: 18 | __slots__ = ( 19 | "version", 20 | "major", 21 | "minor", 22 | "patch", 23 | "prerelease", 24 | "build", 25 | "engine_version", 26 | "engine_fields_checksum", 27 | ) 28 | 29 | SERIALIZERS = {"json": "to_json"} 30 | 31 | def __init__( 32 | self, 33 | version: str, 34 | major: int, 35 | minor: int, 36 | patch: int, 37 | prerelease: str, 38 | build: str, 39 | engine_version: int, 40 | engine_fields_checksum: str, 41 | ): 42 | self.version = version 43 | self.major = major 44 | self.minor = minor 45 | self.patch = patch 46 | self.prerelease = prerelease 47 | self.build = build 48 | self.engine_version = engine_version 49 | self.engine_fields_checksum = engine_fields_checksum 50 | 51 | def __repr__(self): 52 | return f"{self.__class__.__name__}(version={self.version}, major={self.major}, minor={self.minor}, patch={self.patch}, prerelease={self.prerelease}, build={self.build}, engine_version={self.engine_version}, engine_fields_checksum={self.engine_fields_checksum})" 53 | 54 | @classmethod 55 | def from_proto(cls, pb_response): 56 | return cls( 57 | version=pb_response.version, 58 | major=pb_response.major, 59 | minor=pb_response.minor, 60 | patch=pb_response.patch, 61 | prerelease=pb_response.prerelease, 62 | build=pb_response.build, 63 | engine_version=pb_response.engine_version, 64 | engine_fields_checksum=pb_response.engine_fields_checksum, 65 | ) 66 | 67 | def to_proto(self): 68 | return response( 69 | version=self.version, 70 | major=self.major, 71 | minor=self.minor, 72 | patch=self.patch, 73 | prerelease=self.prerelease, 74 | build=self.build, 75 | engine_version=self.engine_version, 76 | engine_fields_checksum=self.engine_fields_checksum, 77 | ) 78 | 79 | def to_json(self): 80 | return json.dumps( 81 | { 82 | "version": self.version, 83 | "major": self.major, 84 | "minor": self.minor, 85 | "patch": self.patch, 86 | "prerelease": self.prerelease, 87 | "build": self.build, 88 | "engine_version": self.engine_version, 89 | "engine_fields_checksum": self.engine_fields_checksum, 90 | } 91 | ) 92 | -------------------------------------------------------------------------------- /falco/errors.py: -------------------------------------------------------------------------------- 1 | class InvalidFormat(Exception): 2 | pass 3 | 4 | 5 | class TLSConfigError(Exception): 6 | pass 7 | -------------------------------------------------------------------------------- /falco/schema/__init__.py: -------------------------------------------------------------------------------- 1 | import os 2 | import sys 3 | 4 | sys.path.append(os.path.abspath(os.path.dirname(__file__))) 5 | -------------------------------------------------------------------------------- /falco/schema/outputs_pb2.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # Generated by the protocol buffer compiler. DO NOT EDIT! 3 | # source: outputs.proto 4 | 5 | import sys 6 | _b=sys.version_info[0]<3 and (lambda x:x) or (lambda x:x.encode('latin1')) 7 | from google.protobuf import descriptor as _descriptor 8 | from google.protobuf import message as _message 9 | from google.protobuf import reflection as _reflection 10 | from google.protobuf import symbol_database as _symbol_database 11 | # @@protoc_insertion_point(imports) 12 | 13 | _sym_db = _symbol_database.Default() 14 | 15 | 16 | from google.protobuf import timestamp_pb2 as google_dot_protobuf_dot_timestamp__pb2 17 | import schema_pb2 as schema__pb2 18 | 19 | 20 | DESCRIPTOR = _descriptor.FileDescriptor( 21 | name='outputs.proto', 22 | package='falco.outputs', 23 | syntax='proto3', 24 | serialized_options=None, 25 | serialized_pb=_b('\n\routputs.proto\x12\rfalco.outputs\x1a\x1fgoogle/protobuf/timestamp.proto\x1a\x0cschema.proto\"\t\n\x07request\"\xb9\x02\n\x08response\x12(\n\x04time\x18\x01 \x01(\x0b\x32\x1a.google.protobuf.Timestamp\x12(\n\x08priority\x18\x02 \x01(\x0e\x32\x16.falco.schema.priority\x12$\n\x06source\x18\x03 \x01(\x0e\x32\x14.falco.schema.source\x12\x0c\n\x04rule\x18\x04 \x01(\t\x12\x0e\n\x06output\x18\x05 \x01(\t\x12@\n\routput_fields\x18\x06 \x03(\x0b\x32).falco.outputs.response.OutputFieldsEntry\x12\x10\n\x08hostname\x18\x07 \x01(\t\x12\x0c\n\x04tags\x18\x08 \x03(\t\x1a\x33\n\x11OutputFieldsEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\x32\x7f\n\x07service\x12:\n\x03sub\x12\x16.falco.outputs.request\x1a\x17.falco.outputs.response(\x01\x30\x01\x12\x38\n\x03get\x12\x16.falco.outputs.request\x1a\x17.falco.outputs.response0\x01\x62\x06proto3') 26 | , 27 | dependencies=[google_dot_protobuf_dot_timestamp__pb2.DESCRIPTOR,schema__pb2.DESCRIPTOR,]) 28 | 29 | 30 | 31 | 32 | _REQUEST = _descriptor.Descriptor( 33 | name='request', 34 | full_name='falco.outputs.request', 35 | filename=None, 36 | file=DESCRIPTOR, 37 | containing_type=None, 38 | fields=[ 39 | ], 40 | extensions=[ 41 | ], 42 | nested_types=[], 43 | enum_types=[ 44 | ], 45 | serialized_options=None, 46 | is_extendable=False, 47 | syntax='proto3', 48 | extension_ranges=[], 49 | oneofs=[ 50 | ], 51 | serialized_start=79, 52 | serialized_end=88, 53 | ) 54 | 55 | 56 | _RESPONSE_OUTPUTFIELDSENTRY = _descriptor.Descriptor( 57 | name='OutputFieldsEntry', 58 | full_name='falco.outputs.response.OutputFieldsEntry', 59 | filename=None, 60 | file=DESCRIPTOR, 61 | containing_type=None, 62 | fields=[ 63 | _descriptor.FieldDescriptor( 64 | name='key', full_name='falco.outputs.response.OutputFieldsEntry.key', index=0, 65 | number=1, type=9, cpp_type=9, label=1, 66 | has_default_value=False, default_value=_b("").decode('utf-8'), 67 | message_type=None, enum_type=None, containing_type=None, 68 | is_extension=False, extension_scope=None, 69 | serialized_options=None, file=DESCRIPTOR), 70 | _descriptor.FieldDescriptor( 71 | name='value', full_name='falco.outputs.response.OutputFieldsEntry.value', index=1, 72 | number=2, type=9, cpp_type=9, label=1, 73 | has_default_value=False, default_value=_b("").decode('utf-8'), 74 | message_type=None, enum_type=None, containing_type=None, 75 | is_extension=False, extension_scope=None, 76 | serialized_options=None, file=DESCRIPTOR), 77 | ], 78 | extensions=[ 79 | ], 80 | nested_types=[], 81 | enum_types=[ 82 | ], 83 | serialized_options=_b('8\001'), 84 | is_extendable=False, 85 | syntax='proto3', 86 | extension_ranges=[], 87 | oneofs=[ 88 | ], 89 | serialized_start=353, 90 | serialized_end=404, 91 | ) 92 | 93 | _RESPONSE = _descriptor.Descriptor( 94 | name='response', 95 | full_name='falco.outputs.response', 96 | filename=None, 97 | file=DESCRIPTOR, 98 | containing_type=None, 99 | fields=[ 100 | _descriptor.FieldDescriptor( 101 | name='time', full_name='falco.outputs.response.time', index=0, 102 | number=1, type=11, cpp_type=10, label=1, 103 | has_default_value=False, default_value=None, 104 | message_type=None, enum_type=None, containing_type=None, 105 | is_extension=False, extension_scope=None, 106 | serialized_options=None, file=DESCRIPTOR), 107 | _descriptor.FieldDescriptor( 108 | name='priority', full_name='falco.outputs.response.priority', index=1, 109 | number=2, type=14, cpp_type=8, label=1, 110 | has_default_value=False, default_value=0, 111 | message_type=None, enum_type=None, containing_type=None, 112 | is_extension=False, extension_scope=None, 113 | serialized_options=None, file=DESCRIPTOR), 114 | _descriptor.FieldDescriptor( 115 | name='source', full_name='falco.outputs.response.source', index=2, 116 | number=3, type=14, cpp_type=8, label=1, 117 | has_default_value=False, default_value=0, 118 | message_type=None, enum_type=None, containing_type=None, 119 | is_extension=False, extension_scope=None, 120 | serialized_options=None, file=DESCRIPTOR), 121 | _descriptor.FieldDescriptor( 122 | name='rule', full_name='falco.outputs.response.rule', index=3, 123 | number=4, type=9, cpp_type=9, label=1, 124 | has_default_value=False, default_value=_b("").decode('utf-8'), 125 | message_type=None, enum_type=None, containing_type=None, 126 | is_extension=False, extension_scope=None, 127 | serialized_options=None, file=DESCRIPTOR), 128 | _descriptor.FieldDescriptor( 129 | name='output', full_name='falco.outputs.response.output', index=4, 130 | number=5, type=9, cpp_type=9, label=1, 131 | has_default_value=False, default_value=_b("").decode('utf-8'), 132 | message_type=None, enum_type=None, containing_type=None, 133 | is_extension=False, extension_scope=None, 134 | serialized_options=None, file=DESCRIPTOR), 135 | _descriptor.FieldDescriptor( 136 | name='output_fields', full_name='falco.outputs.response.output_fields', index=5, 137 | number=6, type=11, cpp_type=10, label=3, 138 | has_default_value=False, default_value=[], 139 | message_type=None, enum_type=None, containing_type=None, 140 | is_extension=False, extension_scope=None, 141 | serialized_options=None, file=DESCRIPTOR), 142 | _descriptor.FieldDescriptor( 143 | name='hostname', full_name='falco.outputs.response.hostname', index=6, 144 | number=7, type=9, cpp_type=9, label=1, 145 | has_default_value=False, default_value=_b("").decode('utf-8'), 146 | message_type=None, enum_type=None, containing_type=None, 147 | is_extension=False, extension_scope=None, 148 | serialized_options=None, file=DESCRIPTOR), 149 | _descriptor.FieldDescriptor( 150 | name='tags', full_name='falco.outputs.response.tags', index=7, 151 | number=8, type=9, cpp_type=9, label=3, 152 | has_default_value=False, default_value=[], 153 | message_type=None, enum_type=None, containing_type=None, 154 | is_extension=False, extension_scope=None, 155 | serialized_options=None, file=DESCRIPTOR), 156 | ], 157 | extensions=[ 158 | ], 159 | nested_types=[_RESPONSE_OUTPUTFIELDSENTRY, ], 160 | enum_types=[ 161 | ], 162 | serialized_options=None, 163 | is_extendable=False, 164 | syntax='proto3', 165 | extension_ranges=[], 166 | oneofs=[ 167 | ], 168 | serialized_start=91, 169 | serialized_end=404, 170 | ) 171 | 172 | _RESPONSE_OUTPUTFIELDSENTRY.containing_type = _RESPONSE 173 | _RESPONSE.fields_by_name['time'].message_type = google_dot_protobuf_dot_timestamp__pb2._TIMESTAMP 174 | _RESPONSE.fields_by_name['priority'].enum_type = schema__pb2._PRIORITY 175 | _RESPONSE.fields_by_name['source'].enum_type = schema__pb2._SOURCE 176 | _RESPONSE.fields_by_name['output_fields'].message_type = _RESPONSE_OUTPUTFIELDSENTRY 177 | DESCRIPTOR.message_types_by_name['request'] = _REQUEST 178 | DESCRIPTOR.message_types_by_name['response'] = _RESPONSE 179 | _sym_db.RegisterFileDescriptor(DESCRIPTOR) 180 | 181 | request = _reflection.GeneratedProtocolMessageType('request', (_message.Message,), { 182 | 'DESCRIPTOR' : _REQUEST, 183 | '__module__' : 'outputs_pb2' 184 | # @@protoc_insertion_point(class_scope:falco.outputs.request) 185 | }) 186 | _sym_db.RegisterMessage(request) 187 | 188 | response = _reflection.GeneratedProtocolMessageType('response', (_message.Message,), { 189 | 190 | 'OutputFieldsEntry' : _reflection.GeneratedProtocolMessageType('OutputFieldsEntry', (_message.Message,), { 191 | 'DESCRIPTOR' : _RESPONSE_OUTPUTFIELDSENTRY, 192 | '__module__' : 'outputs_pb2' 193 | # @@protoc_insertion_point(class_scope:falco.outputs.response.OutputFieldsEntry) 194 | }) 195 | , 196 | 'DESCRIPTOR' : _RESPONSE, 197 | '__module__' : 'outputs_pb2' 198 | # @@protoc_insertion_point(class_scope:falco.outputs.response) 199 | }) 200 | _sym_db.RegisterMessage(response) 201 | _sym_db.RegisterMessage(response.OutputFieldsEntry) 202 | 203 | 204 | _RESPONSE_OUTPUTFIELDSENTRY._options = None 205 | 206 | _SERVICE = _descriptor.ServiceDescriptor( 207 | name='service', 208 | full_name='falco.outputs.service', 209 | file=DESCRIPTOR, 210 | index=0, 211 | serialized_options=None, 212 | serialized_start=406, 213 | serialized_end=533, 214 | methods=[ 215 | _descriptor.MethodDescriptor( 216 | name='sub', 217 | full_name='falco.outputs.service.sub', 218 | index=0, 219 | containing_service=None, 220 | input_type=_REQUEST, 221 | output_type=_RESPONSE, 222 | serialized_options=None, 223 | ), 224 | _descriptor.MethodDescriptor( 225 | name='get', 226 | full_name='falco.outputs.service.get', 227 | index=1, 228 | containing_service=None, 229 | input_type=_REQUEST, 230 | output_type=_RESPONSE, 231 | serialized_options=None, 232 | ), 233 | ]) 234 | _sym_db.RegisterServiceDescriptor(_SERVICE) 235 | 236 | DESCRIPTOR.services_by_name['service'] = _SERVICE 237 | 238 | # @@protoc_insertion_point(module_scope) 239 | -------------------------------------------------------------------------------- /falco/schema/schema_pb2.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # Generated by the protocol buffer compiler. DO NOT EDIT! 3 | # source: schema.proto 4 | 5 | import sys 6 | _b=sys.version_info[0]<3 and (lambda x:x) or (lambda x:x.encode('latin1')) 7 | from google.protobuf.internal import enum_type_wrapper 8 | from google.protobuf import descriptor as _descriptor 9 | from google.protobuf import message as _message 10 | from google.protobuf import reflection as _reflection 11 | from google.protobuf import symbol_database as _symbol_database 12 | # @@protoc_insertion_point(imports) 13 | 14 | _sym_db = _symbol_database.Default() 15 | 16 | 17 | 18 | 19 | DESCRIPTOR = _descriptor.FileDescriptor( 20 | name='schema.proto', 21 | package='falco.schema', 22 | syntax='proto3', 23 | serialized_options=None, 24 | serialized_pb=_b('\n\x0cschema.proto\x12\x0c\x66\x61lco.schema*\xcc\x02\n\x08priority\x12\r\n\tEMERGENCY\x10\x00\x12\r\n\temergency\x10\x00\x12\r\n\tEmergency\x10\x00\x12\t\n\x05\x41LERT\x10\x01\x12\t\n\x05\x61lert\x10\x01\x12\t\n\x05\x41lert\x10\x01\x12\x0c\n\x08\x43RITICAL\x10\x02\x12\x0c\n\x08\x63ritical\x10\x02\x12\x0c\n\x08\x43ritical\x10\x02\x12\t\n\x05\x45RROR\x10\x03\x12\t\n\x05\x65rror\x10\x03\x12\t\n\x05\x45rror\x10\x03\x12\x0b\n\x07WARNING\x10\x04\x12\x0b\n\x07warning\x10\x04\x12\x0b\n\x07Warning\x10\x04\x12\n\n\x06NOTICE\x10\x05\x12\n\n\x06notice\x10\x05\x12\n\n\x06Notice\x10\x05\x12\x11\n\rINFORMATIONAL\x10\x06\x12\x11\n\rinformational\x10\x06\x12\x11\n\rInformational\x10\x06\x12\t\n\x05\x44\x45\x42UG\x10\x07\x12\t\n\x05\x64\x65\x62ug\x10\x07\x12\t\n\x05\x44\x65\x62ug\x10\x07\x1a\x02\x10\x01*\x99\x01\n\x06source\x12\x0b\n\x07SYSCALL\x10\x00\x12\x0b\n\x07syscall\x10\x00\x12\x0b\n\x07Syscall\x10\x00\x12\r\n\tK8S_AUDIT\x10\x01\x12\r\n\tk8s_audit\x10\x01\x12\r\n\tK8s_audit\x10\x01\x12\r\n\tK8S_audit\x10\x01\x12\x0c\n\x08INTERNAL\x10\x02\x12\x0c\n\x08internal\x10\x02\x12\x0c\n\x08Internal\x10\x02\x1a\x02\x10\x01\x62\x06proto3') 25 | ) 26 | 27 | _PRIORITY = _descriptor.EnumDescriptor( 28 | name='priority', 29 | full_name='falco.schema.priority', 30 | filename=None, 31 | file=DESCRIPTOR, 32 | values=[ 33 | _descriptor.EnumValueDescriptor( 34 | name='EMERGENCY', index=0, number=0, 35 | serialized_options=None, 36 | type=None), 37 | _descriptor.EnumValueDescriptor( 38 | name='emergency', index=1, number=0, 39 | serialized_options=None, 40 | type=None), 41 | _descriptor.EnumValueDescriptor( 42 | name='Emergency', index=2, number=0, 43 | serialized_options=None, 44 | type=None), 45 | _descriptor.EnumValueDescriptor( 46 | name='ALERT', index=3, number=1, 47 | serialized_options=None, 48 | type=None), 49 | _descriptor.EnumValueDescriptor( 50 | name='alert', index=4, number=1, 51 | serialized_options=None, 52 | type=None), 53 | _descriptor.EnumValueDescriptor( 54 | name='Alert', index=5, number=1, 55 | serialized_options=None, 56 | type=None), 57 | _descriptor.EnumValueDescriptor( 58 | name='CRITICAL', index=6, number=2, 59 | serialized_options=None, 60 | type=None), 61 | _descriptor.EnumValueDescriptor( 62 | name='critical', index=7, number=2, 63 | serialized_options=None, 64 | type=None), 65 | _descriptor.EnumValueDescriptor( 66 | name='Critical', index=8, number=2, 67 | serialized_options=None, 68 | type=None), 69 | _descriptor.EnumValueDescriptor( 70 | name='ERROR', index=9, number=3, 71 | serialized_options=None, 72 | type=None), 73 | _descriptor.EnumValueDescriptor( 74 | name='error', index=10, number=3, 75 | serialized_options=None, 76 | type=None), 77 | _descriptor.EnumValueDescriptor( 78 | name='Error', index=11, number=3, 79 | serialized_options=None, 80 | type=None), 81 | _descriptor.EnumValueDescriptor( 82 | name='WARNING', index=12, number=4, 83 | serialized_options=None, 84 | type=None), 85 | _descriptor.EnumValueDescriptor( 86 | name='warning', index=13, number=4, 87 | serialized_options=None, 88 | type=None), 89 | _descriptor.EnumValueDescriptor( 90 | name='Warning', index=14, number=4, 91 | serialized_options=None, 92 | type=None), 93 | _descriptor.EnumValueDescriptor( 94 | name='NOTICE', index=15, number=5, 95 | serialized_options=None, 96 | type=None), 97 | _descriptor.EnumValueDescriptor( 98 | name='notice', index=16, number=5, 99 | serialized_options=None, 100 | type=None), 101 | _descriptor.EnumValueDescriptor( 102 | name='Notice', index=17, number=5, 103 | serialized_options=None, 104 | type=None), 105 | _descriptor.EnumValueDescriptor( 106 | name='INFORMATIONAL', index=18, number=6, 107 | serialized_options=None, 108 | type=None), 109 | _descriptor.EnumValueDescriptor( 110 | name='informational', index=19, number=6, 111 | serialized_options=None, 112 | type=None), 113 | _descriptor.EnumValueDescriptor( 114 | name='Informational', index=20, number=6, 115 | serialized_options=None, 116 | type=None), 117 | _descriptor.EnumValueDescriptor( 118 | name='DEBUG', index=21, number=7, 119 | serialized_options=None, 120 | type=None), 121 | _descriptor.EnumValueDescriptor( 122 | name='debug', index=22, number=7, 123 | serialized_options=None, 124 | type=None), 125 | _descriptor.EnumValueDescriptor( 126 | name='Debug', index=23, number=7, 127 | serialized_options=None, 128 | type=None), 129 | ], 130 | containing_type=None, 131 | serialized_options=_b('\020\001'), 132 | serialized_start=31, 133 | serialized_end=363, 134 | ) 135 | _sym_db.RegisterEnumDescriptor(_PRIORITY) 136 | 137 | priority = enum_type_wrapper.EnumTypeWrapper(_PRIORITY) 138 | _SOURCE = _descriptor.EnumDescriptor( 139 | name='source', 140 | full_name='falco.schema.source', 141 | filename=None, 142 | file=DESCRIPTOR, 143 | values=[ 144 | _descriptor.EnumValueDescriptor( 145 | name='SYSCALL', index=0, number=0, 146 | serialized_options=None, 147 | type=None), 148 | _descriptor.EnumValueDescriptor( 149 | name='syscall', index=1, number=0, 150 | serialized_options=None, 151 | type=None), 152 | _descriptor.EnumValueDescriptor( 153 | name='Syscall', index=2, number=0, 154 | serialized_options=None, 155 | type=None), 156 | _descriptor.EnumValueDescriptor( 157 | name='K8S_AUDIT', index=3, number=1, 158 | serialized_options=None, 159 | type=None), 160 | _descriptor.EnumValueDescriptor( 161 | name='k8s_audit', index=4, number=1, 162 | serialized_options=None, 163 | type=None), 164 | _descriptor.EnumValueDescriptor( 165 | name='K8s_audit', index=5, number=1, 166 | serialized_options=None, 167 | type=None), 168 | _descriptor.EnumValueDescriptor( 169 | name='K8S_audit', index=6, number=1, 170 | serialized_options=None, 171 | type=None), 172 | _descriptor.EnumValueDescriptor( 173 | name='INTERNAL', index=7, number=2, 174 | serialized_options=None, 175 | type=None), 176 | _descriptor.EnumValueDescriptor( 177 | name='internal', index=8, number=2, 178 | serialized_options=None, 179 | type=None), 180 | _descriptor.EnumValueDescriptor( 181 | name='Internal', index=9, number=2, 182 | serialized_options=None, 183 | type=None), 184 | ], 185 | containing_type=None, 186 | serialized_options=_b('\020\001'), 187 | serialized_start=366, 188 | serialized_end=519, 189 | ) 190 | _sym_db.RegisterEnumDescriptor(_SOURCE) 191 | 192 | source = enum_type_wrapper.EnumTypeWrapper(_SOURCE) 193 | EMERGENCY = 0 194 | emergency = 0 195 | Emergency = 0 196 | ALERT = 1 197 | alert = 1 198 | Alert = 1 199 | CRITICAL = 2 200 | critical = 2 201 | Critical = 2 202 | ERROR = 3 203 | error = 3 204 | Error = 3 205 | WARNING = 4 206 | warning = 4 207 | Warning = 4 208 | NOTICE = 5 209 | notice = 5 210 | Notice = 5 211 | INFORMATIONAL = 6 212 | informational = 6 213 | Informational = 6 214 | DEBUG = 7 215 | debug = 7 216 | Debug = 7 217 | SYSCALL = 0 218 | syscall = 0 219 | Syscall = 0 220 | K8S_AUDIT = 1 221 | k8s_audit = 1 222 | K8s_audit = 1 223 | K8S_audit = 1 224 | INTERNAL = 2 225 | internal = 2 226 | Internal = 2 227 | 228 | 229 | DESCRIPTOR.enum_types_by_name['priority'] = _PRIORITY 230 | DESCRIPTOR.enum_types_by_name['source'] = _SOURCE 231 | _sym_db.RegisterFileDescriptor(DESCRIPTOR) 232 | 233 | 234 | _PRIORITY._options = None 235 | _SOURCE._options = None 236 | # @@protoc_insertion_point(module_scope) 237 | -------------------------------------------------------------------------------- /falco/schema/version_pb2.py: -------------------------------------------------------------------------------- 1 | # -*- coding: utf-8 -*- 2 | # Generated by the protocol buffer compiler. DO NOT EDIT! 3 | # source: version.proto 4 | 5 | import sys 6 | _b=sys.version_info[0]<3 and (lambda x:x) or (lambda x:x.encode('latin1')) 7 | from google.protobuf import descriptor as _descriptor 8 | from google.protobuf import message as _message 9 | from google.protobuf import reflection as _reflection 10 | from google.protobuf import symbol_database as _symbol_database 11 | # @@protoc_insertion_point(imports) 12 | 13 | _sym_db = _symbol_database.Default() 14 | 15 | 16 | 17 | 18 | DESCRIPTOR = _descriptor.FileDescriptor( 19 | name='version.proto', 20 | package='falco.version', 21 | syntax='proto3', 22 | serialized_options=None, 23 | serialized_pb=_b('\n\rversion.proto\x12\rfalco.version\"\t\n\x07request\"\xa3\x01\n\x08response\x12\x0f\n\x07version\x18\x01 \x01(\t\x12\r\n\x05major\x18\x02 \x01(\r\x12\r\n\x05minor\x18\x03 \x01(\r\x12\r\n\x05patch\x18\x04 \x01(\r\x12\x12\n\nprerelease\x18\x05 \x01(\t\x12\r\n\x05\x62uild\x18\x06 \x01(\t\x12\x16\n\x0e\x65ngine_version\x18\x07 \x01(\r\x12\x1e\n\x16\x65ngine_fields_checksum\x18\x08 \x01(\t2E\n\x07service\x12:\n\x07version\x12\x16.falco.version.request\x1a\x17.falco.version.responseb\x06proto3') 24 | ) 25 | 26 | 27 | 28 | 29 | _REQUEST = _descriptor.Descriptor( 30 | name='request', 31 | full_name='falco.version.request', 32 | filename=None, 33 | file=DESCRIPTOR, 34 | containing_type=None, 35 | fields=[ 36 | ], 37 | extensions=[ 38 | ], 39 | nested_types=[], 40 | enum_types=[ 41 | ], 42 | serialized_options=None, 43 | is_extendable=False, 44 | syntax='proto3', 45 | extension_ranges=[], 46 | oneofs=[ 47 | ], 48 | serialized_start=32, 49 | serialized_end=41, 50 | ) 51 | 52 | 53 | _RESPONSE = _descriptor.Descriptor( 54 | name='response', 55 | full_name='falco.version.response', 56 | filename=None, 57 | file=DESCRIPTOR, 58 | containing_type=None, 59 | fields=[ 60 | _descriptor.FieldDescriptor( 61 | name='version', full_name='falco.version.response.version', index=0, 62 | number=1, type=9, cpp_type=9, label=1, 63 | has_default_value=False, default_value=_b("").decode('utf-8'), 64 | message_type=None, enum_type=None, containing_type=None, 65 | is_extension=False, extension_scope=None, 66 | serialized_options=None, file=DESCRIPTOR), 67 | _descriptor.FieldDescriptor( 68 | name='major', full_name='falco.version.response.major', index=1, 69 | number=2, type=13, cpp_type=3, label=1, 70 | has_default_value=False, default_value=0, 71 | message_type=None, enum_type=None, containing_type=None, 72 | is_extension=False, extension_scope=None, 73 | serialized_options=None, file=DESCRIPTOR), 74 | _descriptor.FieldDescriptor( 75 | name='minor', full_name='falco.version.response.minor', index=2, 76 | number=3, type=13, cpp_type=3, label=1, 77 | has_default_value=False, default_value=0, 78 | message_type=None, enum_type=None, containing_type=None, 79 | is_extension=False, extension_scope=None, 80 | serialized_options=None, file=DESCRIPTOR), 81 | _descriptor.FieldDescriptor( 82 | name='patch', full_name='falco.version.response.patch', index=3, 83 | number=4, type=13, cpp_type=3, label=1, 84 | has_default_value=False, default_value=0, 85 | message_type=None, enum_type=None, containing_type=None, 86 | is_extension=False, extension_scope=None, 87 | serialized_options=None, file=DESCRIPTOR), 88 | _descriptor.FieldDescriptor( 89 | name='prerelease', full_name='falco.version.response.prerelease', index=4, 90 | number=5, type=9, cpp_type=9, label=1, 91 | has_default_value=False, default_value=_b("").decode('utf-8'), 92 | message_type=None, enum_type=None, containing_type=None, 93 | is_extension=False, extension_scope=None, 94 | serialized_options=None, file=DESCRIPTOR), 95 | _descriptor.FieldDescriptor( 96 | name='build', full_name='falco.version.response.build', index=5, 97 | number=6, type=9, cpp_type=9, label=1, 98 | has_default_value=False, default_value=_b("").decode('utf-8'), 99 | message_type=None, enum_type=None, containing_type=None, 100 | is_extension=False, extension_scope=None, 101 | serialized_options=None, file=DESCRIPTOR), 102 | _descriptor.FieldDescriptor( 103 | name='engine_version', full_name='falco.version.response.engine_version', index=6, 104 | number=7, type=13, cpp_type=3, label=1, 105 | has_default_value=False, default_value=0, 106 | message_type=None, enum_type=None, containing_type=None, 107 | is_extension=False, extension_scope=None, 108 | serialized_options=None, file=DESCRIPTOR), 109 | _descriptor.FieldDescriptor( 110 | name='engine_fields_checksum', full_name='falco.version.response.engine_fields_checksum', index=7, 111 | number=8, type=9, cpp_type=9, label=1, 112 | has_default_value=False, default_value=_b("").decode('utf-8'), 113 | message_type=None, enum_type=None, containing_type=None, 114 | is_extension=False, extension_scope=None, 115 | serialized_options=None, file=DESCRIPTOR), 116 | ], 117 | extensions=[ 118 | ], 119 | nested_types=[], 120 | enum_types=[ 121 | ], 122 | serialized_options=None, 123 | is_extendable=False, 124 | syntax='proto3', 125 | extension_ranges=[], 126 | oneofs=[ 127 | ], 128 | serialized_start=44, 129 | serialized_end=207, 130 | ) 131 | 132 | DESCRIPTOR.message_types_by_name['request'] = _REQUEST 133 | DESCRIPTOR.message_types_by_name['response'] = _RESPONSE 134 | _sym_db.RegisterFileDescriptor(DESCRIPTOR) 135 | 136 | request = _reflection.GeneratedProtocolMessageType('request', (_message.Message,), { 137 | 'DESCRIPTOR' : _REQUEST, 138 | '__module__' : 'version_pb2' 139 | # @@protoc_insertion_point(class_scope:falco.version.request) 140 | }) 141 | _sym_db.RegisterMessage(request) 142 | 143 | response = _reflection.GeneratedProtocolMessageType('response', (_message.Message,), { 144 | 'DESCRIPTOR' : _RESPONSE, 145 | '__module__' : 'version_pb2' 146 | # @@protoc_insertion_point(class_scope:falco.version.response) 147 | }) 148 | _sym_db.RegisterMessage(response) 149 | 150 | 151 | 152 | _SERVICE = _descriptor.ServiceDescriptor( 153 | name='service', 154 | full_name='falco.version.service', 155 | file=DESCRIPTOR, 156 | index=0, 157 | serialized_options=None, 158 | serialized_start=209, 159 | serialized_end=278, 160 | methods=[ 161 | _descriptor.MethodDescriptor( 162 | name='version', 163 | full_name='falco.version.service.version', 164 | index=0, 165 | containing_service=None, 166 | input_type=_REQUEST, 167 | output_type=_RESPONSE, 168 | serialized_options=None, 169 | ), 170 | ]) 171 | _sym_db.RegisterServiceDescriptor(_SERVICE) 172 | 173 | DESCRIPTOR.services_by_name['service'] = _SERVICE 174 | 175 | # @@protoc_insertion_point(module_scope) 176 | -------------------------------------------------------------------------------- /falco/svc/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/falcosecurity/client-py/752c3679830a449bc4228b548446a9e849fec3e4/falco/svc/__init__.py -------------------------------------------------------------------------------- /falco/svc/outputs_pb2_grpc.py: -------------------------------------------------------------------------------- 1 | # Generated by the gRPC Python protocol compiler plugin. DO NOT EDIT! 2 | import grpc 3 | 4 | import outputs_pb2 as outputs__pb2 5 | 6 | 7 | class serviceStub(object): 8 | """This service defines the RPC methods 9 | to `request` a stream of output `response`s. 10 | """ 11 | 12 | def __init__(self, channel): 13 | """Constructor. 14 | 15 | Args: 16 | channel: A grpc.Channel. 17 | """ 18 | self.sub = channel.stream_stream( 19 | '/falco.outputs.service/sub', 20 | request_serializer=outputs__pb2.request.SerializeToString, 21 | response_deserializer=outputs__pb2.response.FromString, 22 | ) 23 | self.get = channel.unary_stream( 24 | '/falco.outputs.service/get', 25 | request_serializer=outputs__pb2.request.SerializeToString, 26 | response_deserializer=outputs__pb2.response.FromString, 27 | ) 28 | 29 | 30 | class serviceServicer(object): 31 | """This service defines the RPC methods 32 | to `request` a stream of output `response`s. 33 | """ 34 | 35 | def sub(self, request_iterator, context): 36 | """Subscribe to a stream of Falco outputs by sending a stream of requests. 37 | """ 38 | context.set_code(grpc.StatusCode.UNIMPLEMENTED) 39 | context.set_details('Method not implemented!') 40 | raise NotImplementedError('Method not implemented!') 41 | 42 | def get(self, request, context): 43 | """Get all the Falco outputs present in the system up to this call. 44 | """ 45 | context.set_code(grpc.StatusCode.UNIMPLEMENTED) 46 | context.set_details('Method not implemented!') 47 | raise NotImplementedError('Method not implemented!') 48 | 49 | 50 | def add_serviceServicer_to_server(servicer, server): 51 | rpc_method_handlers = { 52 | 'sub': grpc.stream_stream_rpc_method_handler( 53 | servicer.sub, 54 | request_deserializer=outputs__pb2.request.FromString, 55 | response_serializer=outputs__pb2.response.SerializeToString, 56 | ), 57 | 'get': grpc.unary_stream_rpc_method_handler( 58 | servicer.get, 59 | request_deserializer=outputs__pb2.request.FromString, 60 | response_serializer=outputs__pb2.response.SerializeToString, 61 | ), 62 | } 63 | generic_handler = grpc.method_handlers_generic_handler( 64 | 'falco.outputs.service', rpc_method_handlers) 65 | server.add_generic_rpc_handlers((generic_handler,)) 66 | -------------------------------------------------------------------------------- /falco/svc/schema_pb2_grpc.py: -------------------------------------------------------------------------------- 1 | # Generated by the gRPC Python protocol compiler plugin. DO NOT EDIT! 2 | import grpc 3 | 4 | -------------------------------------------------------------------------------- /falco/svc/version_pb2_grpc.py: -------------------------------------------------------------------------------- 1 | # Generated by the gRPC Python protocol compiler plugin. DO NOT EDIT! 2 | import grpc 3 | 4 | import version_pb2 as version__pb2 5 | 6 | 7 | class serviceStub(object): 8 | """This service defines a RPC call 9 | to request the Falco version. 10 | """ 11 | 12 | def __init__(self, channel): 13 | """Constructor. 14 | 15 | Args: 16 | channel: A grpc.Channel. 17 | """ 18 | self.version = channel.unary_unary( 19 | '/falco.version.service/version', 20 | request_serializer=version__pb2.request.SerializeToString, 21 | response_deserializer=version__pb2.response.FromString, 22 | ) 23 | 24 | 25 | class serviceServicer(object): 26 | """This service defines a RPC call 27 | to request the Falco version. 28 | """ 29 | 30 | def version(self, request, context): 31 | # missing associated documentation comment in .proto file 32 | pass 33 | context.set_code(grpc.StatusCode.UNIMPLEMENTED) 34 | context.set_details('Method not implemented!') 35 | raise NotImplementedError('Method not implemented!') 36 | 37 | 38 | def add_serviceServicer_to_server(servicer, server): 39 | rpc_method_handlers = { 40 | 'version': grpc.unary_unary_rpc_method_handler( 41 | servicer.version, 42 | request_deserializer=version__pb2.request.FromString, 43 | response_serializer=version__pb2.response.SerializeToString, 44 | ), 45 | } 46 | generic_handler = grpc.method_handlers_generic_handler( 47 | 'falco.version.service', rpc_method_handlers) 48 | server.add_generic_rpc_handlers((generic_handler,)) 49 | -------------------------------------------------------------------------------- /protos/outputs.proto: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (C) 2020 The Falco Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | syntax = "proto3"; 18 | 19 | import "google/protobuf/timestamp.proto"; 20 | import "schema.proto"; 21 | 22 | package falco.outputs; 23 | 24 | 25 | // This service defines the RPC methods 26 | // to `request` a stream of output `response`s. 27 | service service { 28 | // Subscribe to a stream of Falco outputs by sending a stream of requests. 29 | rpc sub(stream request) returns (stream response); 30 | // Get all the Falco outputs present in the system up to this call. 31 | rpc get(request) returns (stream response); 32 | } 33 | 34 | // The `request` message is the logical representation of the request model. 35 | // It is the input of the `output.service` service. 36 | message request { 37 | // TODO(leodido,fntlnz): tags not supported yet, keeping it for reference. 38 | // repeated string tags = 1; 39 | } 40 | 41 | // The `response` message is the representation of the output model. 42 | // It contains all the elements that Falco emits in an output along with the 43 | // definitions for priorities and source. 44 | message response { 45 | google.protobuf.Timestamp time = 1; 46 | falco.schema.priority priority = 2; 47 | falco.schema.source source = 3; 48 | string rule = 4; 49 | string output = 5; 50 | map output_fields = 6; 51 | string hostname = 7; 52 | repeated string tags = 8; 53 | } -------------------------------------------------------------------------------- /protos/schema.proto: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (C) 2020 The Falco Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | syntax = "proto3"; 18 | 19 | package falco.schema; 20 | 21 | 22 | enum priority { 23 | option allow_alias = true; 24 | EMERGENCY = 0; 25 | emergency = 0; 26 | Emergency = 0; 27 | ALERT = 1; 28 | alert = 1; 29 | Alert = 1; 30 | CRITICAL = 2; 31 | critical = 2; 32 | Critical = 2; 33 | ERROR = 3; 34 | error = 3; 35 | Error = 3; 36 | WARNING = 4; 37 | warning = 4; 38 | Warning = 4; 39 | NOTICE = 5; 40 | notice = 5; 41 | Notice = 5; 42 | INFORMATIONAL = 6; 43 | informational = 6; 44 | Informational = 6; 45 | DEBUG = 7; 46 | debug = 7; 47 | Debug = 7; 48 | } 49 | 50 | enum source { 51 | option allow_alias = true; 52 | SYSCALL = 0; 53 | syscall = 0; 54 | Syscall = 0; 55 | K8S_AUDIT = 1; 56 | k8s_audit = 1; 57 | K8s_audit = 1; 58 | K8S_audit = 1; 59 | INTERNAL = 2; 60 | internal = 2; 61 | Internal = 2; 62 | } 63 | -------------------------------------------------------------------------------- /protos/version.proto: -------------------------------------------------------------------------------- 1 | /* 2 | Copyright (C) 2020 The Falco Authors. 3 | 4 | Licensed under the Apache License, Version 2.0 (the "License"); 5 | you may not use this file except in compliance with the License. 6 | You may obtain a copy of the License at 7 | 8 | http://www.apache.org/licenses/LICENSE-2.0 9 | 10 | Unless required by applicable law or agreed to in writing, software 11 | distributed under the License is distributed on an "AS IS" BASIS, 12 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | See the License for the specific language governing permissions and 14 | limitations under the License. 15 | */ 16 | 17 | syntax = "proto3"; 18 | 19 | package falco.version; 20 | 21 | 22 | // This service defines a RPC call 23 | // to request the Falco version. 24 | service service { 25 | rpc version(request) returns (response); 26 | } 27 | 28 | // The `request` message is an empty one. 29 | message request 30 | { 31 | } 32 | 33 | // The `response` message contains the version of Falco. 34 | // It provides the whole version as a string and also 35 | // its parts as per semver 2.0 specification (https://semver.org). 36 | message response 37 | { 38 | // falco version 39 | string version = 1; 40 | uint32 major = 2; 41 | uint32 minor = 3; 42 | uint32 patch = 4; 43 | string prerelease = 5; 44 | string build = 6; 45 | // falco engine version 46 | uint32 engine_version = 7; 47 | string engine_fields_checksum = 8; 48 | } 49 | -------------------------------------------------------------------------------- /pyproject.toml: -------------------------------------------------------------------------------- 1 | [tool.black] 2 | line-length = 120 3 | target-version = ['py38'] 4 | include = '\.pyi?$' 5 | exclude = ''' 6 | 7 | ( 8 | /( 9 | \.eggs # exclude a few common directories in the 10 | | \.git # root of the project 11 | | \.hg 12 | | \.mypy_cache 13 | | \.tox 14 | | \.venv 15 | | _build 16 | | buck-out 17 | | build 18 | | dist 19 | | proto 20 | )/ 21 | | foo.py # also separately exclude a file named foo.py in 22 | # the root of the project 23 | | outputs_pb2_grpc.py 24 | | outputs_pb2.py 25 | | schema_pb2_grpc.py 26 | | schema_pb2.py 27 | | version_pb2_grpc.py 28 | | version_pb2.py 29 | ) 30 | ''' 31 | -------------------------------------------------------------------------------- /requirements-dev.txt: -------------------------------------------------------------------------------- 1 | -r requirements.txt 2 | 3 | pytest==5.3.5 4 | black==19.10b0 5 | isort==4.3.21 6 | grpcio-tools==1.26.0 7 | flake8==3.7.9 8 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | grpcio==1.26.0 2 | python-dateutil==2.8.1 3 | protobuf==3.12.2 4 | -------------------------------------------------------------------------------- /setup.cfg: -------------------------------------------------------------------------------- 1 | [flake8] 2 | ignore = E501 3 | exclude = 4 | proto 5 | outputs_pb2_grpc.py 6 | outputs_pb2.py 7 | version_pb2_grpc.py 8 | version_pb2.py 9 | schema_pb2_grpc.py 10 | schema_pb2.py 11 | 12 | [isort] 13 | line_length = 120 14 | multi_line_output = 3 15 | balanced_wrapping = true 16 | skip = 17 | proto 18 | outputs_pb2_grpc.py 19 | outputs_pb2.py 20 | schema_pb2_grpc.py 21 | schema_pb2.py 22 | version_pb2_grpc.py 23 | version_pb2.py 24 | -------------------------------------------------------------------------------- /setup.py: -------------------------------------------------------------------------------- 1 | import os 2 | 3 | import setuptools 4 | from setuptools import setup 5 | 6 | here = os.path.abspath(os.path.dirname(__file__)) 7 | 8 | 9 | about = {} 10 | with open(os.path.join(here, "falco", "__version__.py"), "r") as f: 11 | exec(f.read(), about) 12 | 13 | requires = ["grpcio==1.26.0", "python-dateutil==2.8.1", "protobuf==3.12.2"] 14 | tests_require = ["pytest==5.3.5"] 15 | 16 | with open("README.md", "r") as f: 17 | readme = f.read() 18 | 19 | setup( 20 | name=about["__title__"], 21 | version=about["__version__"], 22 | description=about["__description__"], 23 | long_description=readme, 24 | long_description_content_type="text/markdown", 25 | author=about["__author__"], 26 | author_email=about["__author_email__"], 27 | url=about["__url__"], 28 | packages=setuptools.find_packages(), 29 | python_requires=">=3.6", 30 | install_requires=requires, 31 | license=about["__license__"], 32 | zip_safe=False, 33 | classifiers=[ 34 | "Development Status :: 3 - Alpha", 35 | "License :: OSI Approved :: Apache Software License", 36 | "Programming Language :: Python", 37 | "Programming Language :: Python :: 3", 38 | "Programming Language :: Python :: 3.6", 39 | "Programming Language :: Python :: 3.7", 40 | "Programming Language :: Python :: 3.8", 41 | "Programming Language :: Python :: Implementation :: CPython", 42 | "Programming Language :: Python :: Implementation :: PyPy", 43 | ], 44 | tests_require=tests_require, 45 | ) 46 | -------------------------------------------------------------------------------- /tests/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/falcosecurity/client-py/752c3679830a449bc4228b548446a9e849fec3e4/tests/__init__.py -------------------------------------------------------------------------------- /tests/conftest.py: -------------------------------------------------------------------------------- 1 | from datetime import datetime 2 | 3 | import pytest 4 | from dateutil import tz 5 | 6 | from falco import OutputsRequest, OutputsResponse, VersionRequest, VersionResponse 7 | 8 | 9 | @pytest.fixture 10 | def outputs_request(): 11 | return OutputsRequest() 12 | 13 | 14 | @pytest.fixture 15 | def outputs_response(): 16 | return OutputsResponse( 17 | time=datetime(2020, 1, 1, 22, 55, 59, 300000, tz.UTC), 18 | priority=OutputsResponse.Priority.CRITICAL, 19 | source=OutputsResponse.Source.K8S_AUDIT, 20 | rule="rule", 21 | output="output", 22 | output_fields={"a": "b"}, 23 | hostname="hostname", 24 | tags=["test"], 25 | ) 26 | 27 | 28 | @pytest.fixture 29 | def version_request(): 30 | return VersionRequest() 31 | 32 | 33 | @pytest.fixture 34 | def version_response(): 35 | return VersionResponse( 36 | version="123456", 37 | major=1, 38 | minor=2, 39 | patch=3, 40 | prerelease="654321", 41 | build="1337", 42 | engine_version=1, 43 | engine_fields_checksum="12345678", 44 | ) 45 | -------------------------------------------------------------------------------- /tests/domain/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/falcosecurity/client-py/752c3679830a449bc4228b548446a9e849fec3e4/tests/domain/__init__.py -------------------------------------------------------------------------------- /tests/domain/test_outputs.py: -------------------------------------------------------------------------------- 1 | import json 2 | from datetime import timedelta 3 | 4 | from falco import OutputsRequest, OutputsResponse 5 | 6 | 7 | class TestOutputsRequest: 8 | def test_encode_and_decode(self, outputs_request): 9 | # Note: this class is empty but the test will still be valid after a schema change 10 | processed = OutputsRequest.from_proto(outputs_request.to_proto()) 11 | for field in OutputsRequest.__slots__: 12 | assert getattr(outputs_request, field) == getattr(processed, field) 13 | 14 | def test_generator(self): 15 | requests = OutputsRequest.generator(with_delay=0.2, run_for=timedelta(seconds=1)) 16 | result_len = len(list(requests)) 17 | assert result_len >= 2 and result_len <= 6 18 | 19 | 20 | class TestOutputsResponse: 21 | def test_encode_and_decode(self, outputs_response): 22 | processed = OutputsResponse.from_proto(outputs_response.to_proto()) 23 | for field in OutputsResponse.__slots__: 24 | assert getattr(outputs_response, field) == getattr(processed, field) 25 | 26 | def test_to_json(self, outputs_response): 27 | assert json.loads(outputs_response.to_json()) == { 28 | "hostname": "hostname", 29 | "output": "output", 30 | "output_fields": {"a": "b"}, 31 | "priority": "critical", 32 | "rule": "rule", 33 | "source": "k8s_audit", 34 | "time": "2020-01-01T22:55:59.300000+00:00", 35 | "tags": ["test"], 36 | } 37 | -------------------------------------------------------------------------------- /tests/domain/test_version.py: -------------------------------------------------------------------------------- 1 | from falco import VersionRequest, VersionResponse 2 | 3 | 4 | class TestVersionRequest: 5 | def test_encode_and_decode(self, version_request): 6 | # Note: this class is empty but the test will still be valid after a schema change 7 | processed = VersionRequest.from_proto(version_request.to_proto()) 8 | for field in VersionRequest.__slots__: 9 | assert getattr(version_request, field) == getattr(processed, field) 10 | 11 | 12 | class TestVersionResponse: 13 | def test_encode_and_decode(self, version_response): 14 | processed = VersionResponse.from_proto(version_response.to_proto()) 15 | for field in VersionResponse.__slots__: 16 | assert getattr(version_response, field) == getattr(processed, field) 17 | -------------------------------------------------------------------------------- /tests/mock.py: -------------------------------------------------------------------------------- 1 | import time 2 | from concurrent import futures 3 | from datetime import datetime 4 | 5 | import grpc 6 | from dateutil import tz 7 | 8 | from falco import OutputsResponse, VersionResponse 9 | from falco.svc.outputs_pb2_grpc import add_serviceServicer_to_server as AddOutputsServiceServicerToServer 10 | from falco.svc.version_pb2_grpc import add_serviceServicer_to_server as AddVersionServiceServicerToServer 11 | 12 | MOCK_ADDRESS = "unix:///tmp/falcomock.sock" 13 | 14 | 15 | class FalcoOutputsServicer: 16 | def __init__(self): 17 | self.events = [ 18 | OutputsResponse( 19 | time=datetime(2020, 1, 1, 22, 55, 59, 300000, tz.UTC), 20 | priority=OutputsResponse.Priority.CRITICAL, 21 | source=OutputsResponse.Source.K8S_AUDIT, 22 | rule="rule", 23 | output="1", 24 | output_fields={"a": "b"}, 25 | hostname="hostname", 26 | tags=["test"], 27 | ), 28 | OutputsResponse( 29 | time=datetime(2020, 1, 1, 22, 55, 59, 300000, tz.UTC), 30 | priority=OutputsResponse.Priority.CRITICAL, 31 | source=OutputsResponse.Source.K8S_AUDIT, 32 | rule="rule", 33 | output="2", 34 | output_fields={"a": "b"}, 35 | hostname="hostname", 36 | tags=["test"], 37 | ), 38 | OutputsResponse( 39 | time=datetime(2020, 1, 1, 22, 55, 59, 300000, tz.UTC), 40 | priority=OutputsResponse.Priority.CRITICAL, 41 | source=OutputsResponse.Source.K8S_AUDIT, 42 | rule="rule", 43 | output="3", 44 | output_fields={"a": "b"}, 45 | hostname="hostname", 46 | tags=["test"], 47 | ), 48 | ] 49 | 50 | def get(self, request, context): 51 | for ev in self.events: 52 | yield ev.to_proto() 53 | 54 | def sub(self, request, context): 55 | for ev in self.events: 56 | yield ev.to_proto() 57 | 58 | 59 | class FalcoVersionServicer: 60 | def version(self, request, context): 61 | return VersionResponse( 62 | version="123456", 63 | major=1, 64 | minor=2, 65 | patch=3, 66 | prerelease="654321", 67 | build="1337", 68 | engine_version=1, 69 | engine_fields_checksum="12345678", 70 | ).to_proto() 71 | 72 | 73 | if __name__ == "__main__": 74 | outputs_servicer = FalcoOutputsServicer() 75 | version_servicer = FalcoVersionServicer() 76 | 77 | server = grpc.server(futures.ThreadPoolExecutor(max_workers=10)) 78 | 79 | AddOutputsServiceServicerToServer(outputs_servicer, server) 80 | AddVersionServiceServicerToServer(version_servicer, server) 81 | 82 | server.add_insecure_port(MOCK_ADDRESS) 83 | 84 | server.start() 85 | 86 | try: 87 | while True: 88 | time.sleep(60 * 60 * 24) 89 | except KeyboardInterrupt: 90 | server.stop(0) 91 | -------------------------------------------------------------------------------- /tests/test_client.py: -------------------------------------------------------------------------------- 1 | import pytest 2 | 3 | from falco import Client 4 | from tests.mock import MOCK_ADDRESS 5 | 6 | 7 | class TestClient: 8 | @pytest.fixture 9 | def client(self): 10 | return Client(MOCK_ADDRESS) 11 | 12 | def test_client_get_version(self, client): 13 | version = client.version() 14 | 15 | assert version.version == "123456" 16 | assert version.major == 1 17 | assert version.minor == 2 18 | assert version.patch == 3 19 | assert version.prerelease == "654321" 20 | assert version.build == "1337" 21 | assert version.engine_version == 1 22 | assert version.engine_fields_checksum == "12345678" 23 | 24 | def test_client_get_outputs(self, client): 25 | for ev in client.get(): 26 | assert ev.output in {"1", "2", "3"} 27 | 28 | def test_client_sub_outputs(self, client): 29 | for ev in client.sub(): 30 | assert ev.output in {"1", "2", "3"} 31 | --------------------------------------------------------------------------------